What we can learn from LulzSec
Download as PPTX, PDF2 likes2,517 views
This document provides an overview of the hacktivist groups Anonymous, LulzSec, and Anti-Sec. It discusses their origins, key members, motivations, and notable cyber attacks. These include attacks on government websites in Tunisia and Egypt in support of protests, attacks on companies that cut ties with Wikileaks, and database intrusions targeting security firms and police organizations. The document suggests that while not especially advanced, these groups were highly persistent in their attacks. It recommends organizations focus on real security awareness and hiring penetration testers to identify vulnerabilities before attackers do.
![Membership
"[Anonymous is] the first Internet-based
superconsciousness. Anonymous is a group, in
the sense that a flock of birds is a group. How do
you know they're a group? Because they're
traveling in the same direction. At any given
moment, more birds could join, leave, peel off in
another direction entirely."
—Chris Landers. Baltimore City Paper, April 2, 2008](https://image.slidesharecdn.com/lulzsec-final-120619023224-phpapp01/85/What-we-can-learn-from-LulzSec-15-320.jpg)
![Mission Statement
We [Anonymous] just happen to be a group of
people on the internet who need — just kind of
an outlet to do as we wish, that we wouldn't be
able to do in regular society. ...That's more or
less the point of it. Do as you wish. ... There's a
common phrase: 'we are doing it for the lulz.‘
—Trent Peacock. Search Engine: The face of Anonymous, February 7, 2008.](https://image.slidesharecdn.com/lulzsec-final-120619023224-phpapp01/85/What-we-can-learn-from-LulzSec-16-320.jpg)
What we can learn from LulzSec
- 1. What we can learn from LulzSec PHDAYS 2012
- 2. About Me • Jerry Gamblin • Network Security Specialist – Missouri House Of Representatives • Jerry.gamblin@gmail.com • jerrygamblin.com • @jgamblin (twitter)
- 3. About Me
- 4. About Me
- 5. Why I am giving this talk…
- 6. Why I am giving this talk…
- 7. Why I am giving this talk…
- 8. Overview • The Players • The Vigilantes • The Tools • The Campaigns • What we learned. • How We Can Stop It.
- 9. The Players
- 10. Who is who? Anonymous Anti-Sec Lulzsec
- 11. Anonymous
- 12. Anonymous
- 13. Anonymous • First active as a hacking group in 2008 • Originated on: – 4CHAN – Futaba ( Japanese variant of 4CHAN) – Encyclopædia Dramatica
- 14. LOLCATS
- 15. Membership "[Anonymous is] the first Internet-based superconsciousness. Anonymous is a group, in the sense that a flock of birds is a group. How do you know they're a group? Because they're traveling in the same direction. At any given moment, more birds could join, leave, peel off in another direction entirely." —Chris Landers. Baltimore City Paper, April 2, 2008
- 16. Mission Statement We [Anonymous] just happen to be a group of people on the internet who need — just kind of an outlet to do as we wish, that we wouldn't be able to do in regular society. ...That's more or less the point of it. Do as you wish. ... There's a common phrase: 'we are doing it for the lulz.‘ —Trent Peacock. Search Engine: The face of Anonymous, February 7, 2008.
- 17. Not So Anonymous
- 18. What A Hacker Looks Like…
- 19. What A Hacker Looks Like?
- 20. LulzSec • Anonymous all-star team. • Had 4 to 9 active members. • Highly active and technical. • "Laughing at your security since 2011!"
- 21. Sabu
- 22. Anarchaos
- 23. Topiary
- 24. Kayla
- 25. TFlow
- 26. Viral
- 27. Recursion
- 28. Anti-Sec • Anti-Sec was the re-merger of lulzSec and anonymous in late June 2011.
- 30. The Vigilantes
- 31. th3j35t3r • @th3j35t3r • Anti-Jihad hacker • XerXes DDOS tool • Leads the anti-anonymous crusade on twitter • Went offline May 9th.
- 32. BacktraceSecurity • backtracesecurity.com • @backtracesec • Gave a talk at Defcon19 about exposing anon. – Anonymous and the rise of the Adhocracy
- 33. The Tools
- 34. IRC • Mostly on irc.2600.net • Anonymous channels – #Anonymous – #Antisec • Anti-anonymous channels – #AntiAntiSec – #Prosec
- 35. Twitter • Used mainly for press relations and public support. • Main accounts: – @anonymousirc – @anonymousabu – @youranonnews – @anonops – @anoncmd – @lulzsec
- 36. PasteBin.com • Public and anonymous clipboard. • Developed to easily share source code. • Used by Anonymous to share dox and dumps of stolen information.
- 37. CloudFlare.com
- 38. CloudFlare.com • Distributed cloud IDS/IPS. • Hides your real server IP. • Stops DDOS attacks. • FREE!
- 39. Hidemyass.com • VPN Service • Anonymous internet identity – 18,000 unique IP addresses
- 40. Doxing • Public dump of an individuals personal information. • Often leads to real life harassment.
- 41. Blackout Faxing
- 42. Low Orbit Ion Cannon
- 43. Low Orbit Ion Cannon • Network stress testing tool. – (Read DDOS tool) • Written by Anonymous members. • Hivemind – Allows machines to join a voluntary botnet. • Open source project hosted on sf.net
- 44. SQLMAP • Open source database penetration testing tool. • Works on the major SQL databases – MySQL – Oracle – PostgreSQL – Microsoft SQL • “Wizard” mode. • Ability to give you a root shell on Linux machines. • Open source project hosted on sf.net
- 45. SQLMAP
- 46. No Known 0-Days
- 47. The Campaigns
- 48. Epilepsy Foundation Forums Date March 2008 Targets Epilepsy Foundation of America National Society for Epilepsy Attack Method Posting flashing images on the forums frequented by epilepsy sufferers in the attempt to cause seizures and migraine headaches.
- 49. No Cussing Club
- 50. No Cussing Club Date January 2009 Target McKay Hatch Attack Method • Posted his and his families address, email and phone number online. • Harassed him via email and phone calls. • Pizza bombed his house. • Subscribed him to over 100 pornographic magazines.
- 51. Operation Titstorm Date February 2010 Target Australian government for passing anti- pornography law dealing with animated pornography. Attack Method DDOS: • Australian Parliament Defaced: • Australian Prime Minister Fax Attack: • Australian Government communications department.
- 53. Operation Payback Date September 2010 Target Aiplex Software for DDOSing sharing sites after they refused to remove copyrighted material. Attack Method DDOS: • ACS:Law • Australian Federation Against Copyright Theft • ACAPOR • Ministry of Sound • Spanish Copyright Society SQLI: • UK Intellectual Property Office Defaced: • GeneSimmons.com
- 54. Operation Avenge Assange Date December 2010 Target Companies who stopped process donations to Assange or stopped hosting wikileaks content. Attack Method DDOS: • PostFinance • Swedish Prosecution Authority • EveryDNS • MasterCard • Borgstrom and Bodström • Visa • PayPal • PayPal API • Sarah Palin • Joseph Lieberman Aborted DDOS: • Amazon
- 55. Operation Sony
- 56. Operation Sony Date February 2011 Target Sony for their lawsuit against George Hotz who hacked the PS3. Attack Method SQLI: • Sony PlayStation Network • Sony Online Entertainment • Sony BMG America • Sony Music Japan • Sony BMG Greece • Sony Portugal
- 58. Operation Tunisia Date May 2011 Target Tunisian Government Websites Attack Method DDOS: • President • Prime Minister • Ammar 404 • Ministry of Industry • Ministry of Foreign Affairs • Tunisian Stock Exchange
- 59. Operation Egypt Date May 2011 Target Egyptian Government Websites Attack Method DDOS: • Cabinet Minster • Ministry of the Interior • Ministry of Communications and Technology
- 60. HBGary Federal Date February 2011 Target Aaron Barr for a talk he was going to give on exposing anonymous members at a bsides event in San Francisco. Attack Method HBGary.com • SQLI hbgary.com Aaron Barr • Released SSN • Released personal emails • Took over his twitter account • Remotely Wiped IPAD/IPHONE • Exposed his World of Warcraft character name. • Obviously the most embarrassing.
- 61. Operation Anti-Sec Date February 2011 Targets Police associations and federal security contractors for the arrest of anonymous and lulzsec members. Attack Method DDOS: United States Court of Appeals for the Ninth Circuit SQLI: IRC Federal Booz Allen Hamilton Vanguard Defense Missouri Sheriffs' Association Texas Police Chiefs Association Arizona Department of Public Safety DOX: Richard Garcia
- 62. Operation Orlando Date June 2011 Targets The city of Orlando for the arrest of “food not bombs” members for handing out food in city parks without a free permit. Attack Method DDOS: • Orlando Mayor’s website SQLI: • Roman Catholic Diocese of Orlando • Rotary Club of Orlando • Orlando Chamber of Commerce Threat of Physical Violence: • Orlando Mayor
- 63. Orlando Mayor
- 64. Operation Bart Date August 2011 Target BART for shutting down cell phone repeater services to stop protest of the murder of Oscar Grant. Attack Method SQLI: • BART Police Officer’s Association • MyBART.org
- 66. Operation MegaUpload Date January 2012 Targets Anyone involved in the criminal case against Megaupload. Attack Method DDOS: UMG (Universal Music Group) Warner Brothers Music MPAA RIAA United States Department of Justice FBI
- 68. Operation Russia Date February 2012 Targets Email accounts of prominent pro-Kremlin activists and officials. Dispensing that information at @OP_Russia on twitter. Attack Method Email Hack of: Kristina Potupchik Press secretary for Nashi youth movement Oleg Khorokhordin Deputy head of the Department for Internal Affairs at the Presidential Administration Vasily Yakemenko Head of the Federal Agency for Youth Affairs
- 69. What we learned.
- 70. Not Advanced; But Persistent
- 74. Sympathetic Industry? • Brings recognition to their jobs. • Helps increase funding. • Get to LULZ at the victim.
- 75. How can we stop it?
- 78. Hack Yourself
- 79. Hire a Penetration Tester
- 81. Listen!
- 82. Есть вопросы?
- 83. Contact Info • Jerry Gamblin • Network Security Specialist – Missouri House Of Representatives • @jgamblin (twitter) • Jerry.gamblin@gmail.com • www.jerrygamblin.com
- 84. Благодарю вас!
- 85. #LulzSecReborn (They are making a comeback)
Editor's Notes
- #6: “Not an expert”Blew up in my back yard.Had to be able to talk about this to intelligently to the legislature.
- #11: Who is who?They are all basically the same people.
- #12: Guy Fawkes mask on Amazon.
- #13: Guy Fawkes mask on Amazon.
- #14: 4 Chan is an image board/ discussion board.Lots of popular internet memes start there. Lolcats being the most famous.
- #18: Over 50 arrest and search warrants issued fro anonymous members in the united states.
- #19: Arrested because of DDOS on paypal during operation assange.Anon DDOSed TPM to keep these mug shots off line on 9/9/11
- #20: Left: Mercedes Renee Haefer, 20, is a Sony cashier and a student at UNLV.Hilarious interview to gawker after FBI search warrant. http://gawker.com/5757995/an-interview-with-a-target-of-the-fbis-anonymous-probe Right: Tracy Ann Valenzuela, 42Arrested because of DDOS on paypal.
- #22: Leader.Hector Xavier MonsegurTurned CI Last Summer Involved in Operation Wall Street. Highly active on twitter @anonymouSabuCaught by logging into IRC 1 Time form his public IP.
- #23: Jeremy HammondChicagoStratfor HackArizona Department of Public Safetyhttp://www.informationweek.com/news/security/attacks/240000391
- #24: Jake Davis 18 years OldShetland IslandsArrested 7/31/11
- #25: Ryan Ackroyd16 year old girl.Really a 24-year-old and a 20-year-old man.One arrested in YorkshireOne arrested in WiltshireArrested 9/22
- #26: SolmonSalehRan Website.22 year old male.Waiting for mugshotArrested 7/19/11http://www.channel4.com/news/a-love-of-guns-chemistry-and-assange-lulzsec-unmasked
- #27: Ryan Cleary19 Year oldWickford, EssexHosted IRC servers for Lulzsec and DDOSArrested 6/22
- #28: Cody Kretsinger23 years oldUniversity of Advancing TechnologoySony Hack9/23Cisco Security both at defcon
- #29: After arrest had been made. Back into the flock / end of lulzsec.
- #30: W0rmer - Member of Anti-SecBusted when he for got to remove Exif data. http://takedownnews.com/very-revealing-boobs/
- #32: Highly technical.Ex-military. More than one person? State Sponsored (?) Spoke at HackersHalted earlier this month.
- #33: Used IRC to infiltrate group. Gave a great talk at Defcon 19.
- #35: Yes this is still aroundMost active place for anonymous to organize.
- #36: Most public form of communication.
- #37: Missouri Sheriffs association SSN leak had 10K views before removed. Views = ad impressions = money.
- #38: Basically a could based IDS/IPS
- #39: 10,000 or 25% new request 3 months after lulzsecannouced use of service.
- #40: Anonymous hates them now.Collected connection info / not activity.Recursion arrested via this.
- #42: IneffectiveMost people have efaxes now.
- #50: McKay Hatch
- #56: 70 million records from the PSN hack. Anon doesn’t take credit for it. 25 million records from SOE.5 million from other hacks.
- #57: 70 million records from the PSN hack. Anon doesn’t take credit for it. 25 million records from SOE.5 million from other hacks.
- #59: DDOS stopped when ammar 404 blocked access to these servers from outside the country.
- #64: Most Serious Threat.
- #66: In October 2011, the collective campaigned against child pornography protected by TOR to host child porn sites.They published the names of over 1500 people frequenting those websites,and invited the FBI and Interpol to follow up.
- #68: Vatican website was brought down temporarily by a DDoS attack from Anonymous on March 7
- #74: Never hacked “bart.gov”
- #77: When you cant get your admins to follow your advice you are not doing it right.
- #79: You have access to the same tools these guys use. You should really consider using them.
- #80: There are a bunch of good pen testers around locally.
- #81: Know who your associates are.Talk security with them.
- #82: Being an active listener is key to staying on top of groups like this.Often they announce targets before hack.
- #83: Any Questions
- #85: Thank You!
- #86: A group using the name Lulzsec stole 139,000 accounts from militarysingles.com in march. http://threatpost.com/en_us/blogs/anatomy-lulzsec-attack-singles-out-web-20-weakness-052312http://pastebin.com/JRY3cA5T